Link AD group to Indico group through Shibboleth SSO

GauthierIndico · February 10, 2022, 12:03pm

Hello there,
I’m reading this forum since some days and I can’t find something that could suits our configuration. I have also to confess that I’m not very good in authentication / identification process …
We are using Shibboleth for authentication in our Indico instance.
When we loggin to indico, I can see that shibboleth is requesting our sso service then POST the SAMLResponse to our instance https://indico-instance/Shibboleth.sso/SAML2/POST.
The payload is containing all group for one user, encoded with b64.
My question is what should I do to automatically create group when a user is logging ?

# SSO
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth',
    }
}
IDENTITY_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'identifier_field': 'USERID',
        'mapping': {
            'login': 'USERID',
            'email': 'EMAIL',
        },
        'trusted_email': True
    }
}

I tried to add

        'default_group_provider': True,

But it seems not working.
Should I add saml as IDENTITY_PROVIDERS in parrallele of shib-sso ?

ThiefMaster · February 10, 2022, 12:07pm

You cannot use groups with just Shibboleth - you need to connect indico to an LDAP server for this purpose. Login can still use SSO of course as long as you can match those SSO users to LDAP users. Our documentation contains and example for this which can also be done in a very similar way with Shibboleth:

GauthierIndico · February 16, 2022, 9:42am

Dear @ThiefMaster,
Thank you for your quick answer and sorry for my late one.
I will work on ladp side.

snapd · November 30, 2022, 8:45pm

Hi @GauthierIndico were you able to resolve this? I have a similar issue